CVE-2024-9473

Execution with Unnecessary Privileges (CWE-250)

Published: Oct 9, 2024 / Updated: 41d ago

CVSS 5.2 / EPSS 0.04% / Medium

Summary

A privilege escalation vulnerability in the Palo Alto Networks GlobalProtect app on Windows allows a locally authenticated non-administrative Windows user to escalate their privileges to NT AUTHORITY/SYSTEM through the use of the repair functionality offered by the .msi file used to install GlobalProtect.

Impact

This vulnerability could allow a local, non-administrative user to gain SYSTEM-level privileges on a Windows machine running the affected GlobalProtect app. This level of access would give the attacker full control over the system, potentially leading to unauthorized access to sensitive data, installation of malware, or further lateral movement within the network.

Exploitation

There is no evidence that a public proof-of-concept exists, and no evidence of exploitation at the moment.

Patch

The vulnerability data does not provide specific information about a patch. However, given the nature of the vulnerability and its recent disclosure, it's likely that Palo Alto Networks will release a security update for the GlobalProtect app to address this issue.

Mitigation

While waiting for an official patch, consider the following mitigation strategies:

1. Limit local user access to only trusted individuals on systems running GlobalProtect.
2. Monitor for any suspicious activities or unauthorized privilege escalations on affected systems.
3. Implement the principle of least privilege across your network to minimize the potential impact of successful exploits.
4. Consider temporarily disabling the repair functionality of the GlobalProtect .msi file if feasible in your environment.
5. Keep an eye out for security advisories from Palo Alto Networks and apply any recommended patches or updates as soon as they become available.

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:N/R:U/V:C/RE:M/U:Amber

Timeline

First Article

Feedly found the first article mentioning CVE-2024-9473.

Oct 9, 2024 at 4:03 PM / Palo Alto Networks Security Advisories

CVSS Estimate

Feedly estimated the CVSS score as MEDIUM

Oct 9, 2024 at 4:04 PM

CVE Assignment

NVD published the first details for CVE-2024-9473

Oct 9, 2024 at 5:15 PM

CVSS

A CVSS base score of 5.2 has been assigned.

Oct 9, 2024 at 5:20 PM / nvd

EPSS

EPSS Score was set to: 0.04% (Percentile: 9.7%)

Oct 10, 2024 at 9:48 AM

CVSS

A CVSS base score of 7.8 has been assigned.

Oct 15, 2024 at 6:56 PM / nvd

Detection in Vulnerability Scanners

Detection for the vulnerability has been added to Nessus (209283)

Oct 18, 2024 at 9:16 PM

Threat Intelligence Report

CVE-2024-9473 is a critical local privilege escalation vulnerability in the MSI installer of Palo Alto Networks GlobalProtect, which was acknowledged by the vendor after being reported in November 2023. As of October 2024, a patch has been released to address the issue, but there is no information provided regarding its CVSS score, exploitation in the wild, or proof-of-concept exploits. The advisory indicates that the vendor has now mitigated the vulnerability, but potential downstream impacts on third-party vendors or technologies are not mentioned.

Oct 21, 2024 at 1:31 PM

Affected Systems

Paloaltonetworks/globalprotect

Patches

security.paloaltonetworks.com

Attack Patterns

CAPEC-104: Cross Zone Scripting

References

CVE-2024-9473 GlobalProtect App: Local Privilege Escalation (PE) Vulnerability (Severity: MEDIUM)
A privilege escalation vulnerability in the Palo Alto Networks GlobalProtect app on Windows allows a locally authenticated non-administrative Windows user to escalate their privileges to NT AUTHORITY/SYSTEM through the use of the repair functionality offered by the .msi file used to install GlobalProtect. Product Integrity LOW
Microsoft Windows MSI Installer - Repair to SYSTEM - A detailed journey
This article by our researcher Michael Baer for the SEC Consult Vulnerability Lab will explain different attacks against MSI installers and present an open-source analyzer tool named "msiscan" in order to automatically detect potential security issues. Repair functions of Microsoft Windows MSI installers can be vulnerable in several ways, for instance allowing local attackers to escalate their privileges to SYSTEM rights.

News

Update GP 6.3.1-376 to 6.3.1-383 problem
My org is currently using GP 6.3.1-376 client. We are looking to patch the following vulnerability: https://security.paloaltonetworks.com/CVE-2024-9473 The problem is when trying to install GP 6.3.1-383 on a computer with GP 6.3.1-376, it halts the install stating "Unable to install because a newer version of this product is already installed." I know I could just script it to remove 376 and install 383 afterwards but just curious if this is by design since it's just a build update or if it's a bug in the installer. Anyone else notice this? submitted by /u/Jedistreve

CVSS V3.1

Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability Impact: High
